Skip to content

Instantly share code, notes, and snippets.

@abtrout
Created July 8, 2014 14:51
Show Gist options
  • Save abtrout/d64fb11ad6f9f49fa325 to your computer and use it in GitHub Desktop.
Save abtrout/d64fb11ad6f9f49fa325 to your computer and use it in GitHub Desktop.
Using password-store with git repository synching

Password-store keeps your passwords (or any other sensitive information) saved in GnuPG encrypted files organized in ~/.password-store. For more information about GPG, consult the GNU Privacy Handbook.

Getting started

To get started, install pass and generate a keypair.

$ brew install pass
$ gpg --gen-key
$ gpg --list-keys

Back up the keypair and store it in a safe place.

$ gpg --export-secret-keys --armor <fingerprint> > privkey.asc
$ gpg --export --armor <fingerprint> > pubkey.asc

Start using pass

$ pass init <fingerprint>

Each entry is its own file, so you can store whatever text information you'd like, eg. usernames, email addresses, answers to secret questions, two factor auth backup codes, etc. Read the man page for a complete description of its features.

A particularly nice feature is the ability to keep your password store in a git repository.

Managing your password-store with git

Initialize a new bare repository on your server.

server $ git init --bare ~/.password-store

Make your local password store a git respository and add a remote URL that points to your server.

$ pass git init
$ pass git remote add origin user@server:~/.password-store
$ pass git push

Using our password store on a new host is easy now.

Import your keypair.

$ gpg --import pubkey.asc
$ gpg --allow-secret-key-import --import privkey.asc

Trust them if necessary.

$ gpg --edit-key <fingerprint>

Clone your repository to ~/.password-store.

$ git clone user@server:~/.password-store

At this point you can use pass on each host and manually synch them with pass git push and pass git pull. To delete your password store, just rm -rf ~/.password-store.

@kevinnls
Copy link

kevinnls commented May 11, 2023

oops. that was wrong. it should have been <GPG ID> (i did not know as much back then)

the output of gpg -k will give you something to the effect of

/home/jodoe/.gnupg/pubring.kbx
--------------------------------------------------
pub ..................
        FC029385
uid       .............

pub .................
        98375234
uid       ............

that second line of each key, is the GPG ID (it starts with a blank space). putting together multiple GPG IDs during init, you can set your password store to be unlocked by all those users

pass init FC029385 9875234

or more generically

pass init <GPG_ID_1> ... <GPG_ID_n>

@lesar
Copy link

lesar commented Oct 24, 2023

Good post.
Forgive me but can you please change all your prompt command by modify the initial start:
server $ ...
client $ ...

best regards
Leonardo

@stremblay
Copy link

What is <fingerprint>?

That's what I'd like to know as well. What are we supposed to put as fingerprint? Is it something generated by GPG?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment